Re: [PATCH v10 03/50] KVM: SEV: Do not intercept accesses to MSR_IA32_XSS for SEV-ES guests

From: Paolo Bonzini
Date: Wed Dec 13 2023 - 12:41:09 EST


On 12/13/23 18:30, Sean Christopherson wrote:
For now, all we can do is document our wishes, with which userspace had
better comply. Please send a patch to QEMU that makes it obey.
Discussed this early today with Paolo at PUCK and pointed out that (a) the CPU
context switches the underlying state, (b) SVM doesn't allow intercepting *just*
XSAVES, and (c) SNP's AP creation can bypass XSS interception.

So while we all (all == KVM folks) agree that this is rather terrifying, e.g.
gives KVM zero option if there is a hardware issue, it's "fine" to let the guest
use XSAVES/XSS.

Indeed; looks like I've got to queue this for 6.7 after all.

Paolo